MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot
Vendor detections: 3



SHA256 hash: 32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887
SHA3-384 hash: d756bd91690dc529d94d5c8ad7957f84f0992498c8643bf065458e32af95d50506d6cfddb532678895fd271e1669877f
SHA1 hash: 81f575d685775cd1c27ad0c43b55a6d398ba0023
MD5 hash: 9536985f58e43f8eb4629534c6787951
humanhash: butter-juliet-seven-washington
File name: prc.dll
Signature: DanaBot
File size: 3'475'968 bytes
First seen: 2020-05-15 06:56:19 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 3c40312a17d7028c500c6468084c6a58 (7 x Gozi, 2 x DanaBot)
ssdeep: 49152:vBB+DbwBoIK6d8kMvEOzzW2efqjnNXmUp+wtyQoI/M8VglMCXL1xFN/ZtakkoOmE:vQDGa/maNWa+KwhxzRkczXTgdt
Threatray: 21 similar samples on MalwareBazaar
TLSH: 89F5DF107712D038F56B0A7AEC3ED4FA95287E459B3818D730C56E8F2633AD65872B1B
Reporter: abuse_ch
Tags: DanaBot dll geo POL


abuse_ch
Malspam distributing DanaBot:

HELO: mout-xforward.gmx.com
Sending IP: 82.165.159.130
From: PLAY 24 <Gretta.Hyman14192@mail.com>
Subject: efaktura - PLAY24 2889961
Attachment: faktura_30.xlsm

DanaBot payload URL:
http://post-990094.at/3/prc.dll

DanaBot C2s:

Intelligence


File Origin
# of uploads: 1
# of downloads: 815
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Danabot
Status: Malicious
First seen: 2020-05-15 07:36:12 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 21 of 30 (70.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Suspicious use of WriteProcessMemory
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_danabot_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: DanaBot
File type: DLL dll
SHA256 hash: 32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887 (this sample)
